[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch rme at bluemail.ch
Wed Aug 3 13:19:03 UTC 2016

Hi Louis,

Many many thanks for your very quick and comprehensive reply.
I also found this thread here 

Unfortunately none of the suggestions seem to entirely resolve the issue.

As a first work-around I have inserted
     ldap server require strong auth = no
to my smb.conf and re-started Samba.

Unfortunately this didn't change anything. I am still getting the same errors 
from gpupdate.exe (with the same errors logged to event log) claiming name 
resolution failure while samba logs report:

[2016/08/03 15:17:45.609250,  1] 
   gss_unwrap_iov failed:  Miscellaneous failure (see text): unknown mech-code 0 
for mech 1 2 840 113554 1 2 2
[2016/08/03 15:17:45.609387,  0] 
   gssapi_unseal_packet(hdr_signing=1,sig_size=45,data=144,pdu=176) failed: 

I am not fully sure about the MS changes though. My GPO all list "Authenticated 
Users" in the "Security Filtering" section in Scope tab. I unsure where to 
insert the "Authenticated Users" group in the GPO with read permissions. Does it 
mean I should add "Authenticated Users" in the Delegation tab? If yes, then all 
my GPO already have this entry in Delegation tab:
- Authenticated Users, Read (from Security Filtering)

I also tried inserting Domain Computers with Read permissions to the Delegation 
tab. No change in the result though.

I also tried to remove the "Authenticated Users" entry from Security Filtering 
with and without adding it to the Delegation tab at no avail. It still complains 
about name resolution failure on domain controller.

I also added the admx templates sucessfully to sysvol but this did not fix the 
GPO processing issue (as expected).

In addition also samba-tool ntacl sysvolcheck returns the same error as 
indicated in the thread above:

# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
does not match expected value 
from GPO object
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, 
in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1730, in checksysvolacl
   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1681, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 
1628, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not match 
expected value %s from GPO object' % (acl_type(direct_db_access), path, 
fsacl_sddl, acl))

Though according to 
<https://lists.samba.org/archive/samba/2016-July/201448.html> this might be a 
samba-tool issue.

Though I don't think it's related to the error as it looks like somehow it's not 
about permissions or issues on sysvol share level but rather crypto/signature 

Moreover I tried a bit more GPO debugging as instructed here: 

Perhaps the following log line points out an error:
GPSVC(3a8.b94) 15:07:34:198 ProcessGPOs(Machine): MyGetUserName failed with 5.

The full log can be found here:

Many thanks again.

More information about the samba mailing list